Method for providing wireless application privilege management

ABSTRACT

A method for providing an administration policy to a user device comprising a plurality of applications, the method comprising centrally generating the administration policy to be implemented in the user device, the administration policy comprising at least one of an application administration policy to be used by at least one of the plurality of applications and a client administration policy for the user device; and providing the generated policy to the user device.

CROSS-REFERENCE TO RELATED APPLICATIONS

This application claims priority under 35USC § 119(e) of U.S.provisional patent application 60/672,084, entitled “Method forproviding wireless application privilege management”, that was filedApr. 18, 2005, the specification of which is hereby incorporated byreference.

TECHNICAL FIELD

These embodiments relate to the field of wireless device applicationmanagement.

BACKGROUND

The current methods used to control application configuration andprivileges (AC&P) (also referred to as policies) are single dimensionalapplication configuration schemes.

More precisely, either an application configuration and privilege ishard-coded in a given application, through some more flexibleconfiguration process on a per-application basis, or the applicationconfiguration and privilege is applied to the whole wireless deviceitself.

The latter implementation lacks flexibility as all applications share,in such case, the same application configuration and privilege which isa drawback. The skilled addressee will appreciate that depending on theuser of a device, it might be desirable to have a given applicationconfiguration and privilege for a first given application while foranother given application it might be desirable to have anotherapplication configuration and privilege.

Furthermore it will be appreciated that in the case where the userdevice is a wireless user device it is very difficult to control theimplementation of the policies for a given user device especially in thecase where a large number of user device have to be configured orcontrolled.

Also, it will be appreciated that a lot of memory is wasted in the casewhere the policy is hard-coded for each application running on the userdevice. Furthermore, in such case, it is not possible to control oramend the policy for the application over time which is a major drawbackin the case where a user requires more rights.

There is a need for a method that will overcome at least one of theabove-mentioned drawbacks.

BRIEF DESCRIPTION OF THE DRAWINGS

Further features and advantages of the embodiments will become apparentfrom the following detailed description, taken in combination with theappended drawings, in which:

FIG. 1 is a block diagram which shows a plurality of wireless userdevices in which the embodiments may be implemented;

FIG. 2 is a block diagram which shows an embodiment of a user device inwhich the method for providing a wireless privilege management may beadvantageously used; the user device comprises, inter alia, anapplication administration policy database and a client administrationpolicy database;

FIG. 3 is a flowchart which shows how a policy is provided to a userdevice according to one embodiment;

FIG. 4 is a flowchart which shows how a policy is generated according toan embodiment; according to first step, a client administration policyis created and according to a second step an application administrationpolicy is created;

FIG. 5 is a flowchart which shows how the application administrationpolicy is created according to an embodiment;

FIG. 6 is a flowchart which shows how a generated policy is provided tothe at least one user device; according to a first step the generatedpolicy is transmitted to the at least one user device while according toa second step the transmitted policy is installed in the user device;and

FIG. 7 is a flowchart which shows how the transmitted policy isinstalled in the user device.

It will be noted that throughout the appended drawings, like featuresare identified by like reference numerals.

DETAILED DESCRIPTION

According to a broad aspect of the embodiments, there is provided amethod for providing an administration policy to a user devicecomprising a plurality of applications, the method comprising centrallygenerating said administration policy to be implemented in the userdevice, the administration policy comprising at least one of anapplication administration policy to be used by at least one of theplurality of applications and a client administration policy for saiduser device; and providing the generated policy to said user device.

According to another broad aspect of the embodiments, there is provideda method for implementing an administration policy in a wireless userdevice comprising a plurality of applications, the method comprisingreceiving, from a central location, said administration policy to beimplemented in the wireless user device, the administration policycomprising at least one of an application administration policy to beused by at least one of the plurality of applications and a clientadministration policy for said user device; and installing the receivedpolicy in the wireless user device.

According to yet another broad aspect of the embodiments, there isprovided an application gateway adapted to enable remote administrationof one or more managed server units of a data network using a userdevice of a wireless network, the application gateway comprising: meansfor managing a provisioning of an administration policy to a user devicecomprising a plurality of applications, said provisioning comprising:generating said administration policy to be implemented in said userdevice, said administration policy comprising at least one of anapplication administration policy to be used by at least one of theplurality of applications and a client administration policy for saiduser device; and providing said administration policy to said userdevice.

Now referring to FIG. 1, there is shown an embodiment of a systemwherein the embodiments may be performed advantageously. The systemcomprises a server unit 10, a network 12, a plurality of transmittingdevices 16 and a plurality of user devices 18.

The server unit 10 is adapted for providing a signal to send to theplurality of user devices 18. The server unit 10 may comprise any typeof processing unit that is connected permanently or temporarily with theplurality of user devices 18.

The network 12 comprises at least one of a Local Area Network (LAN), aMetropolitan Area Network (MAN) and a Wide Area Network (WAN). In anembodiment, the network 12 comprises a Wide Area Network which is theInternet. Network 12 may also comprise an Application Gateway (notshown).

The plurality of transmitting devices 16 comprises wireless transmittersadapted to transmit data to the plurality of user devices 18. Theplurality of user devices 18 comprises devices that are adapted toprocess at least data. In one embodiment, shown in FIG. 1, the pluralityof user devices 18 are wireless user devices. It should be appreciatedthat various types of devices may be used such as Personal DigitalAssistants (PDAs), smart phones, etc. In an embodiment, the plurality ofuser devices 18 comprises Blackberry™ devices which are manufactured byResearch In Motion Limited. It will be appreciated by the skilledaddressee that the plurality of user devices 18 comprises a plurality ofapplications, each operating according to policies that may beimplemented and monitored by an operator according to the methoddisclosed hereinafter.

More precisely, the server unit 10 is adapted to provide to the network12, inter alia, a signal to send. At least one of the plurality oftransmitting devices 16 is adapted to transmit a signal to at least oneof the plurality of user devices 18.

The application gateway 13 of network 12 handles request/responsemessages initiated by the applications on the devices 18, as well assubscription notifications pushed to the devices 18 from the server unit10. The Application Gateway can function as a Data Mapping Server formediating messaging between a client runtime environment (RE) on thedevices 18 and a backend server of server unit 10. The RuntimeEnvironment (RE) is an intelligent container that executes applicationcomponents and provides common services as needed for execution of theapplications. The application gateway can provide for asynchronousmessaging for the applications and can integrate and communicate withlegacy server units such as server unit 10. The devices 18 transmit andreceive wireless component applications, as further described herein, aswell as transmit/receive messaging associated with operation of theapplications. The devices 18 can operate as web clients of the serverunit 10 through execution of the applications when provisioned onrespective runtime environments (RE) of the devices 18. As describedfurther herein, application gateway 13 may be adapted to provide apolicy administration service to client devices 18 providing policiesover the air, for example, to control application administrativepolicies and client administrative policies independently.

Now referring to FIG. 2, there is shown an embodiment of a user device18 in which the method for providing an administration policy may beadvantageously used.

The user device 18 comprises a processing unit 20, a user interface 22,a communication unit 24, an application container 26 and a policystoring database 28. The processing unit 20 is adapted to process data.The processing unit 20 may be any suitable processor. The user interface22 is adapted to provide an interface to a user using the user device 18for interacting with at least one application. In an embodiment, theuser device 22 comprises a keyboard.

The communication unit 24 is adapted to provide communication capabilitybetween the user device 18 and at least one transmitting device 16. Inan embodiment, the communication unit 24 is a wireless communicationinterface.

The application container 26 provides a RE for executing a plurality ofapplications in the user device 18. The skilled addressee willappreciate that application container 26 may facilitate the execution ofapplications providing various functionality but particularly thosesuitable for communicating with remote data sources such as web servicesand the like through a stateful proxy such as the application gateway.

The policy storing database 28 comprise a client administration policydatabase 30 and an application administration policy database 32.

It will be appreciated that the client administration policy comprisedin the client administration policy database 30 is used to manageadministration and privilege of the user device 18 at the user level.

It will be further appreciated that the application administrationpolicy comprised in the application administration policy database 32 isused to provide a management of an individual application.

More precisely, the communication unit 24 provides a received policysignal to implement to the processing unit 20. In response to thereceived policy signal to implement, the processing unit 20 provides aclient administration policy signal to the client administration policydatabase 30. The processing unit 20 further provides an applicationadministration policy signal to the application administration policydatabase 32.

An application of the application container 26 may provide anadministration policy request signal to the processing unit 20. It willbe appreciated that in an embodiment, the policy request signalcomprises an indication of a given policy to use to uniquely identify apertinent policy to use. In response to the policy request signalprovided to the processing unit 20, the latter provides a request for apolicy for a given application to the application administration policydatabase 32. It will be appreciated that in an embodiment, the requestfor a policy for a given application comprises an indication of thegiven policy to use.

In response to the request for a policy for a given application, theapplication administration policy database 32 provides a correspondingadministration policy signal for the given application to the processingunit 20. The processing unit 20 then provides a received correspondingapplication policy signal to the application comprised in theapplication container 26.

Now referring to FIG. 3, there is shown how a policy is provided to auser device 18 according to one embodiment.

According to step 34, an administration policy to implement in at leastone user device comprising a plurality of applications is generated. Inan embodiment, the policy to implement in at least one user device isgenerated by an operator using the server unit 10. The operatorgenerates the policy to implement according to various information suchas a type of application to use in the wireless user device, type ofuser operating the wireless user device, etc.

According to step 36, the generated policy is provided to at least onedevice.

Now referring to FIG. 4, there is shown how a policy is generatedaccording to an embodiment.

More precisely, according to step 38, a client administration policy iscreated. As mentioned earlier, the client administration policy iscreated by an operator.

According to step 40, an application administration policy is createdfor at least one application. As mentioned earlier the applicationadministration policy is created by an operator.

While it has been shown that the client administration policy is createdprior to the application administration policy for the at least oneapplication, the skilled addressee would appreciate that it may bepossible to create the application administration policy for the atleast one application prior to the creating of the client administrationpolicy.

Now referring to FIG. 5, there is shown how the applicationadministration policy is created according to an embodiment.

According to step 42, a set of rules to apply to for at least oneapplication of the user device is created. It will be appreciated thatpreferably the operator is creating the set of rules.

According to step 44, an identifier is assigned to the set of rulescreated. It will be appreciated that the identifier is created manuallyby the operator in an embodiment while in another embodiment, theidentifier may be created automatically. It will be further appreciatedthat the identifier may be any one of a number, a character string, orthe like. It will be appreciated that the identifier is used to uniquelyidentify the set of rules that was created according to step 42.

Now referring to FIG. 6, there is shown how a generated policy isprovided to at least one user according to an embodiment.

According to step 50, the generated policy is transmitted to the atleast one user device. It will be appreciated that in an embodiment, thegenerated policy to the at least one user device is transmitted over awireless link. More precisely, the generated policy is transmitted fromthe server unit 10 to one of the transmitting unit 16 via the network 12and then to the user device 18 over the wireless link. In such case, thecommunication unit 24 receives a policy signal to implement and providesthe received policy signal to implement to the processing unit 20.

According to step 52, the transmitted generated policy is installed inthe at least one user device 18. In an embodiment, the transmittedgenerated policy is installed in a policy storing database 28.

Now referring to FIG. 7, there is shown an embodiment which shows howthe transmitted policy is installed in the user device 18.

According to step 60, the client administration policy transmitted isinstalled. In an embodiment, the client administration policytransmitted is installed in the client administration policy database30.

According to step 62, the application administration policy transmittedis installed. In an embodiment, the application administration policytransmitted is installed in the application administration policydatabase 32.

While it has been disclosed that the client administration policytransmitted is installed prior the application administration policytransmitted, the skilled addressee should appreciate that theapplication administration policy transmitted might be installed priorto the client administration policy transmitted.

Moreover, the skilled addressee will appreciate that the clientadministration policy may be transmitted at a different time than theapplication administration policy. The skilled addressee will thereforeappreciate that such method provides a central administrative controlover access right and functional privilege of wireless applicationsespecially those that interact with a server and/or service provider ofthe user device 18.

It is therefore much easier and efficient to be able to control a policyof a large number of user devices 18. Furthermore, using an over the airstrategy may be very convenient as it enables a quick enforcement of apolicy to a large number of wireless user devices.

Furthermore, the skilled addressee will appreciate that such methodenables to have a two dimensional control of privileges. The skilledaddressee will further appreciate that the fact that clientadministration policy database 30 and the application administrationpolicy database 32 are stored separately from an individual applicationenable them to be updated over the air at any time.

It will be further appreciated that a plurality of applications of theapplication container 26 might share a same application administrationpolicy. The use of the identification disclosed at step 44 enablestherefore more than one application to share a given applicationadministration policy and therefore minimizes the usage of storage spacein the user device 18, which is greatly appreciated.

Moreover, such reuse of application administration policy by more thanone application minimizes air-time usage and download time which isadvantageous for the operator of a plurality of user devices 18.

Also, the fact that the application administration policy database 32 isseparated from the client administration policy database 30 enables eachof the two to be updated independently from one another again minimizingairtime usage as well as download time. Though described with referenceto an application gateway which performs a plurality of services (e.g.administration services provisioning RE with policies etc., proxy andother communications services including mapping messages forfacilitating communications between clients and remote servers, etc.),other network servers may be adapted to provide one or more of suchservices.

While illustrated in the block diagrams as groups of discrete componentscommunicating with each other via distinct data signal connections, itwill be understood by those skilled in the art that embodiments areprovided by a combination of hardware and software components, with somecomponents being implemented by a given function or operation of ahardware or software system, and many of the data paths illustratedbeing implemented by data communication within a computer application oroperating system. The structure illustrated is thus provided forefficiency of teaching the present embodiments.

It should be noted that the embodiments can be carried out as a method,can be embodied in a system, a computer readable medium or an electricalor electro-magnetical signal.

The embodiments described above are intended to be exemplary only. Thescope of the embodiments is therefore intended to be limited solely bythe scope of the appended claims.

A portion of the disclosure of this patent document contains materialwhich is subject to copyright protection. The copyright owner has noobjection to the facsimile reproduction by any one of the patentdocument or patent disclosure, as it appears in the Patent and TrademarkOffice patent file or records, but otherwise reserves all copyrightrights whatsoever.

1. A method for providing an administration policy to a user devicecomprising a plurality of applications, said method comprising:centrally generating said administration policy to be implemented insaid user device, said administration policy comprising at least one ofan application administration policy to be used by at least one of theplurality of applications and a client administration policy for saiduser device; and providing said administration policy to said userdevice.
 2. The method as claimed in claim 1, wherein said user device isa wireless device, further wherein said administration policy isprovided over-the-air to said wireless device.
 3. The method as claimedin claim 2, wherein said generating of said policy to be implemented insaid user device is performed by an operator managing a plurality ofuser devices.
 4. The method as claimed in claim 3, wherein said policycomprises a plurality of application administration policies, each beingassigned to at least one of the plurality of applications, furtherwherein each of the plurality of application administration policies isuniquely identified using an identifier.
 5. The method as claimed inclaim 4, wherein said identifier is generated automatically.
 6. Themethod as claimed in claim 5, wherein said identifier is generated bysaid operator.
 7. The method as claimed in claim 1, wherein saidproviding of said generated policy to said user device comprisestransmitting said generated policy to said user and installing thetransmitted generated policy in said user device.
 8. The method asclaimed in claim 7, wherein said installing of said transmittedgenerated policy in said user device comprises installing said clientadministration policy and installing said application administrationpolicy.
 9. The method as claimed in claim 8, wherein said installing ofsaid client administration policy comprises storing said clientadministration policy in a client administration policy database. 10.The method as claimed in claim 9, wherein said installing of saidapplication administration policy comprises storing said applicationadministration policy in an application administration policy database.11. The method as claimed in claim 10, wherein applicationadministration policy database is distinct from said clientadministration policy database.
 12. A computer readable memorycomprising a plurality of instructions which when executed perform themethod as claimed in any one of claims 1-13.
 13. A method forimplementing an administration policy in a wireless user devicecomprising a plurality of applications, said method comprising:receiving, from a central location, said administration policy to beimplemented in said wireless user device, said policy comprising atleast one of an application administration policy to be used by at leastone of the plurality of applications and a client administration policyfor said wireless user device; and installing said received policy insaid wireless user device.
 14. The method as claimed in claim 13,wherein said policy is received over a wireless link.
 15. The method asclaimed in claim 14, wherein said installing of said received policy insaid wireless user device comprises storing said client administrationpolicy in a client administration policy database and storing saidapplication administration policy in a application administration policydatabase.
 16. A computer readable memory comprising a plurality ofinstructions which when executed perform the method as claimed in anyone of claims 13-15.
 17. An application gateway adapted to enable remoteadministration of one or more managed server units of a data networkusing a user device of a wireless network, the application gatewaycomprising: means for managing a provisioning of an administrationpolicy to a user device comprising a plurality of applications, saidprovisioning comprising: generating said administration policy to beimplemented in said user device, said administration policy comprisingat least one of an application administration policy to be used by atleast one of the plurality of applications and a client administrationpolicy for said user device; and providing said administration policy tosaid user device.